Re: PEM vs. DER
[EMAIL PROTECTED] writes:

> "Ralf S. Engelschall" [EMAIL PROTECTED] writes:
>
> > [snip]
> > Ok, ok, when I understand you correctly, you want that mod_ssl can read
> > any combination. Let's see what I can do.
>
> Much appreciated! Though I don't think every combination is required. At
> least not by us. DER Base64 encoding of PKCS#5/8 keys, and DER Base64
> encoding of raw X.509 certs would be a nice start.

Turns out the PKCS 5 and 8 support in OpenSSL isn't quite there yet. Or at
least that's the conclusion I've come to. We've managed to cobble something
together from another toolkit. Though the cert reading works nicely.

Thanks again Ralf.

-Tom
--
Tom Vaughan tvaughan at aventail dot com
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: PEM vs. DER
On Thu, Mar 04, 1999, [EMAIL PROTECTED] wrote:

> If I wanted mod_ssl to use DER Base64 encoded certs by default, would it be
> as simple as doing a `perl -pi -e 's/PEM/DER/g;'` to the mod_ssl source
> files, and then adding '-outform DER' to makecrt.sh where appropriate?
> (compile and install afterwards of course)

No, it isn't that easy, because not all _PEM functions of OpenSSL have direct
DER counterparts. But DER cert/key loading can be supported with a little bit
of extra code, of course. But the question is: why do you want to use DER?
The conversion via "openssl x509 ..." is trivial... So, what are the reasons?
Perhaps it's actually interesting to support DER in mod_ssl in general?

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: PEM vs. DER
"Ralf S. Engelschall" [EMAIL PROTECTED] writes:

> On Thu, Mar 04, 1999, [EMAIL PROTECTED] wrote:
>
> > If I wanted mod_ssl to use DER Base64 encoded certs by default, would it
> > be as simple as doing a `perl -pi -e 's/PEM/DER/g;'` to the mod_ssl
> > source files, and then adding '-outform DER' to makecrt.sh where
> > appropriate? (compile and install afterwards of course)
>
> No, it isn't that easy, because not all _PEM functions of OpenSSL have
> direct DER counterparts. But DER cert/key loading can be supported with a
> little bit of extra code, of course. But the question is: why do you want
> to use DER? The conversion via "openssl x509 ..." is trivial... So, what
> are the reasons? Perhaps it's actually interesting to support DER in
> mod_ssl in general?

Because we, http://www.aventail.com/, are using Apache+mod_ssl+SSLeay in a
"soon to be released" product. This new product will co-exist with our
extranet server. This extranet server is ssl capable but uses some other ssl
toolkit that only does DER Base64. Which means our existing cert management
tools only do DER Base64. This is why I need mod_ssl to support DER Base64.

My guess is that DER Base64 would be desirable whenever you'd like to have
mod_ssl play nicely with anything from the commercial, proprietary, non-free
world.

-Tom
Re: PEM vs. DER
On Fri, Mar 05, 1999, [EMAIL PROTECTED] wrote:

> > > If I wanted mod_ssl to use DER Base64 encoded certs by default, would
> > > it be as simple as doing a `perl -pi -e 's/PEM/DER/g;'` to the mod_ssl
> > > source files, and then adding '-outform DER' to makecrt.sh where
> > > appropriate? (compile and install afterwards of course)
> >
> > No, it isn't that easy, because not all _PEM functions of OpenSSL have
> > direct DER counterparts. But DER cert/key loading can be supported with
> > a little bit of extra code, of course. But the question is: why do you
> > want to use DER? The conversion via "openssl x509 ..." is trivial... So,
> > what are the reasons? Perhaps it's actually interesting to support DER
> > in mod_ssl in general?
>
> Because we, http://www.aventail.com/, are using Apache+mod_ssl+SSLeay in a
> "soon to be released" product. This new product will co-exist with our
> extranet server. This extranet server is ssl capable but uses some other
> ssl toolkit that only does DER Base64. Which means our existing cert
> management tools only do DER Base64. This is why I need mod_ssl to support
> DER Base64.
>
> My guess is that DER Base64 would be desirable whenever you'd like to have
> mod_ssl play nicely with anything from the commercial, proprietary,
> non-free world.

Ok, sounds like a reasonable suggestion. But do you want DER+Base64 or just
plain DER? Because DER is a binary format while DER+Base64 is the binary plus
Base64 transformed and PEM is actually DER+Base64+Header/Footer. So, what
exactly do you understand under "DER Base64"? Do you want plain DER or really
DER+Base64?

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Re: PEM vs. DER
On Fri, Mar 05, 1999, [EMAIL PROTECTED] wrote:

> "Ralf S. Engelschall" [EMAIL PROTECTED] writes:
>
> > [snip]
> > Ok, sounds like a reasonable suggestion. But do you want DER+Base64 or
> > just plain DER? Because DER is a binary format while DER+Base64 is the
> > binary plus Base64 transformed and PEM is actually
> > DER+Base64+Header/Footer. So, what exactly do you understand under "DER
> > Base64"? Do you want plain DER or really DER+Base64?
>
> I defer to our resident munitions expert, Marc VanHeyningen...
>
>     We try to be liberal in what we accept, so we can read plain DER as
>     well as DER+Base64 in many cases; for example, trusted roots can be
>     specified in either, but if it's plain DER there isn't any good way to
>     specify 1 root while DER+Base64 makes it easy to have multiple roots,
>     look at them, cut and paste them, etc.
>
>     Credentials files (socks5.certs and friends), similarly, have to
>     contain multiple objects (private key, certificate chain of 1
>     certificate) and so the easiest way to store those multiple objects
>     with labels of which is what is by using base64 with -----BEGIN FOO-----
>     headers and footers. This also makes it easier to sanity check files by
>     looking at them in text editors, reduces headaches with customers who
>     occasionally have to email those files to support, etc. Obviously it
>     makes the files slightly larger but that seems a small price to pay.
>
>     Unless I'm misunderstanding him, I disagree with his assertion that PEM
>     is "just" DER + base64 + header/footer; the headers/footers added by
>     PEM are more complex than what we use, and what exactly goes in the DER
>     is often a bit different, assuming he means the DER of the PKCS stuff
>     rather than the PEM stuff. Our private key, for instance, is stored
>     per PKCS#5/8, not per any PEM standard; certificates are raw X.509
>     DERs, base64-encoded with -----BEGIN CERTIFICATE----- thrown in front.

Ok, ok, when I understand you correctly, you want that mod_ssl can read any
combination. Let's see what I can do.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
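The three encodings discussed above (PEM = DER + Base64 + BEGIN/END lines, bare DER+Base64, plain DER), as an added Python example that is not part of this thread or of mod_ssl: it tries the encodings in the same order the discussion settles on, checks that whatever it decoded is one complete DER SEQUENCE (so a truncated or padded file is rejected rather than half-parsed), and splits a multi-object PEM file the way Marc's bundle files need. The sample DER object is constructed and merely stands in for a real certificate; the `-----BEGIN`/`-----END` delimiters are the standard PEM ones.

```python
import base64
import re

# Constructed sample: a minimal DER SEQUENCE { INTEGER 1 }; an X.509 cert is also a top-level SEQUENCE.
SAMPLE_DER = bytes.fromhex("3003020101")

# PEM = DER + Base64 + "-----BEGIN label-----" / "-----END label-----" lines.
# Assumption: no Proc-Type/DEK-Info header lines, i.e. encrypted PEM is not handled here.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)
B64_RE = re.compile(rb"\A[A-Za-z0-9+/]+={0,2}\Z")

def der_sequence_ok(blob):
    """True if blob is exactly one DER SEQUENCE (tag 0x30): nothing truncated, nothing trailing."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:                                  # short-form length
        header, length = 2, first
    else:                                             # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(blob) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(blob[2:2 + n], "big")
    return len(blob) == header + length

def split_pem_bundle(data):
    """Every PEM object in data as (label, der), so several roots or key+chain come back as a list."""
    out = []
    for m in PEM_RE.finditer(data):
        try:
            der = base64.b64decode(b"".join(m.group(2).split()), validate=True)
        except ValueError:                            # header lines or junk inside the block
            continue
        if der_sequence_ok(der):
            out.append((m.group(1).decode("ascii"), der))
    return out

def load_any(data):
    """Accept 1. PEM, 2. bare DER+Base64, 3. plain DER, in that order; returns (encoding, label, der)."""
    objs = split_pem_bundle(data)
    if objs:
        return ("PEM",) + objs[0]
    stripped = b"".join(data.split())                 # bare Base64 may be line-wrapped
    if B64_RE.match(stripped) and len(stripped) % 4 == 0:
        der = base64.b64decode(stripped)
        if der_sequence_ok(der):
            return ("DER+Base64", None, der)
    if der_sequence_ok(data):
        return ("DER", None, data)
    raise ValueError("not PEM, DER+Base64 or plain DER (or DER length mismatch)")
```

Trying PEM before bare Base64 matters: a PEM body is itself valid Base64 text, so the reverse order would lose the label.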
Re: PEM vs. DER
"Ralf S. Engelschall" [EMAIL PROTECTED] writes:

> [snip]
> Ok, ok, when I understand you correctly, you want that mod_ssl can read any
> combination. Let's see what I can do.

Much appreciated! Though I don't think every combination is required. At
least not by us. DER Base64 encoding of PKCS#5/8 keys, and DER Base64
encoding of raw X.509 certs would be a nice start.

-Tom
Re: PEM vs. DER
On Fri, Mar 05, 1999, [EMAIL PROTECTED] wrote:

> "Ralf S. Engelschall" [EMAIL PROTECTED] writes:
>
> > [snip]
> > Ok, ok, when I understand you correctly, you want that mod_ssl can read
> > any combination. Let's see what I can do.
>
> Much appreciated! Though I don't think every combination is required. At
> least not by us. DER Base64 encoding of PKCS#5/8 keys, and DER Base64
> encoding of raw X.509 certs would be a nice start.

Ok, with the appended patch I was at least able to load PEM, DER+Base64 and
plain DER server.crt and server.key files. Please try it out with your
cert/keys and give me feedback, please.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com

Index: ssl_engine_pphrase.c === RCS file: /e/apache/SSL/REPOS/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_pphrase.c,v retrieving revision 1.28 diff -u -r1.28 ssl_engine_pphrase.c --- ssl_engine_pphrase.c1999/03/04 09:25:47 1.28 +++ ssl_engine_pphrase.c1999/03/05 21:49:53 @@ -136,8 +136,7 @@ "Init: Can't open server certificate file %s", szPath); ssl_die(); } -pX509Cert = X509_new(); -if (!PEM_read_X509(fp, pX509Cert, NULL)) { +if ((pX509Cert = SSL_read_X509(fp, NULL, NULL)) == NULL) { ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Init: Unable to read server certificate from file %s", szPath); ssl_die(); @@ -194,7 +193,6 @@ myCtxVarSet(mc, 8, nPassPhraseDialogCur); myCtxVarSet(mc, 9, bPassPhraseDialogOnce); -pRSAKey = RSA_new(); nPassPhraseCur= 0; nPassPhraseRetry = 0; nPassPhraseDialogCur = 0; @@ -212,8 +210,8 @@ ssl_die(); } cpPassPhraseCur = NULL; -bReadable = (PEM_read_RSAPrivateKey(fp, pRSAKey, - ssl_pphrase_Handle_CB) ? TRUE : FALSE); +bReadable = ((pRSAKey = SSL_read_RSAPrivateKey(fp, NULL, + ssl_pphrase_Handle_CB)) != NULL ? TRUE : FALSE); ap_pfclose(p, fp); /* Index: ssl_util_ssl.c === RCS file: /e/apache/SSL/REPOS/mod_ssl/pkg.apache/src/modules/ssl/ssl_util_ssl.c,v retrieving revision 1.3 diff -u -r1.3 ssl_util_ssl.c --- ssl_util_ssl.c 1999/03/04 09:25:47 1.3 +++ ssl_util_ssl.c 1999/03/05 21:42:01 
@@ -92,3 +92,85 @@ return; } +/* _ +** +** High-Level Certificate / Private Key Loading +** _ +*/ + +X509 *SSL_read_X509(FILE *fp, X509 **x509, int (*cb)()) +{ +X509 *rc; +BIO *bioS; +BIO *bioF; + +/* 1. try PEM (= DER+Base64+headers) */ +rc = PEM_read_X509(fp, x509, cb); +if (rc == NULL) { +/* 2. try DER+Base64 */ +fseek(fp, 0L, SEEK_SET); +if ((bioS = BIO_new(BIO_s_fd())) == NULL) +return NULL; +BIO_set_fd(bioS, fileno(fp), BIO_NOCLOSE); +if ((bioF = BIO_new(BIO_f_base64())) == NULL) + return NULL; +bioS = BIO_push(bioF, bioS); +rc = d2i_X509_bio(bioS, NULL); +BIO_free(bioF); +BIO_free(bioS); +if (rc == NULL) { +/* 3. try plain DER */ +fseek(fp, 0L, SEEK_SET); +if ((bioS = BIO_new(BIO_s_fd())) == NULL) +return NULL; +BIO_set_fd(bioS, fileno(fp), BIO_NOCLOSE); +rc = d2i_X509_bio(bioS, NULL); +BIO_free(bioS); +} +} +if (rc != NULL x509 != NULL) { +if (*x509 != NULL) +X509_free(*x509); +*x509 = rc; +} +return rc; +} + +RSA *SSL_read_RSAPrivateKey(FILE *fp, RSA **rsa, int (*cb)()) +{ +RSA *rc; +BIO *bioS; +BIO *bioF; + +/* 1. try PEM (= DER+Base64+headers) */ +rc = PEM_read_RSAPrivateKey(fp, rsa, cb); +if (rc == NULL) { +/* 2. try DER+Base64 */ +fseek(fp, 0L, SEEK_SET); +if ((bioS = BIO_new(BIO_s_fd())) == NULL) +return NULL; +BIO_set_fd(bioS, fileno(fp), BIO_NOCLOSE); +if ((bioF = BIO_new(BIO_f_base64())) == NULL) + return NULL; +bioS = BIO_push(bioF, bioS); +rc = d2i_RSAPrivateKey_bio(bioS, NULL); +BIO_free(bioF); +BIO_free(bioS); +if (rc == NULL) { +/* 3. try plain DER */ +fseek(fp, 0L, SEEK_SET); +if ((bioS = BIO_new(BIO_s_fd())) == NULL) +return NULL; +BIO_set_fd(bioS, fileno(fp), BIO_NOCLOSE); +rc = d2i_RSAPrivateKey_bio(bioS, NULL); +BIO_free(bioS); +} +} +if (rc != NULL rsa != NULL) { +if (*rsa != NULL) +
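Review bot: in the `@@ -136,8 +136,7 @@` hunk of ssl_engine_pphrase.c, the failure branch still logs with `SSL_ADD_SSLERR`, but `SSL_read_X509` now returns NULL only after the PEM, DER+Base64 and plain-DER attempts have all failed, so the error queue carries the entries of all three attempts and the message the admin sees may describe the wrong one; conversely, when a DER fallback succeeds, the PEM attempt's "no start line" entry stays queued and surfaces in the next unrelated `SSL_ADD_SSLERR` log. Suggest calling `ERR_clear_error()` between the attempts inside `SSL_read_X509` (and `SSL_read_RSAPrivateKey`), or at least after a successful fallback.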
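Review bot: in the `@@ -212,8 +210,8 @@` hunk, `ssl_pphrase_Handle_CB` is handed to `SSL_read_RSAPrivateKey`, but inside that function the callback only reaches `PEM_read_RSAPrivateKey`; the DER+Base64 and plain-DER paths go through `d2i_RSAPrivateKey_bio`, which has no pass-phrase hook, so an encrypted key is only supported in PEM form and a DER key must be stored unencrypted on disk. That limitation should be stated in the documentation of the new formats, next to the `SSLCertificateKeyFile` description, so nobody assumes the pass-phrase dialog protects a DER key.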
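Review bot: in the `@@ -92,3 +92,85 @@` hunk of ssl_util_ssl.c, the BIO cleanup of the DER+Base64 path is wrong in both new functions: `bioS = BIO_push(bioF, bioS);` makes `bioS` point at the base64 filter (BIO_push returns its first argument), so the following `BIO_free(bioF); BIO_free(bioS);` frees the filter BIO twice and never frees the fd BIO. Keep the chain head in its own variable and release it with one `BIO_free_all()`, or do not reassign `bioS`. Two smaller points in the same path: when `BIO_new(BIO_f_base64())` fails the function returns NULL with `bioS` still allocated, and the conditions `if (rc != NULL x509 != NULL)` and `if (rc != NULL rsa != NULL)` appear without an operator between the operands in the posted text; if that is not an artifact of the mail archive, they need `&&`.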